The security of personal and business web applications is becoming an increasing concern for anyone invested in eCommerce. Customers expect confidential information to remain secured from the moment they enter a website. A business’s reputation can rest on its ability to protect and secure the entire user experience.
Some industries are required to meet specific security standards to be compliant with their relevant regulations, especially those responsible for user transactions and the sharing of personal information via a web app. This is why tools such as a Web Application Firewall (WAF) are becoming increasingly popular.
The purpose of a Web Application Firewall (WAF) is to protect and enhance the security of individual website applications. A typical stack consists of the front end, mid-tier and backend. A WAF protects the entire application stack by directly interacting with the web server front end to ensure that the traffic passing between the stack and the internet is legitimate and highly secure.
The Web Application Firewall is logically positioned in front of the web server. All traffic to and from the website traverses the WAF using a set of pre-defined policies. It doesn’t matter if the HTTP(S) request is for a Web Server (such as Nginx or Apache), the mid-tier (such as Java or Tomcat), or the backend (typically a database), all traffic is shaped by the WAF.
A WAF is available as a hardware appliance but is most commonly found as a virtual instance these days. The WAF scans each data packet that enters and exits the network. The traffic is inspected, and the WAF determines the destination using filters provided by a set of rules.
Malicious Scripts Are a Major Threat
Web Apps are typically internet-facing and, as a result, the cybersecurity threat is a genuine concern. The Web Application Firewall’s primary job is to stop malicious scripts and malicious code from running on a website. The most commonly targeted vulnerabilities include cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection, and so on.
Cross-Site Request Forgery (CSRF) is a technique used to trigger the execution of unwanted commands inside a web app in which a genuine user is currently authenticated. This attack vector is often combined with social engineering to perform state-changing actions such as transferring money, changing account passwords, and so on.
Cross-Site Scripting (XSS) is an injection attack against otherwise benign and trusted websites. The malicious code is hidden inside the web app, and the user’s browser treats it as legitimate content. The result is that any text entered on the website could be intercepted, server-side or client-side; this could include credit card numbers, bank details, and so on.
A SQL injection attack inserts crafted SQL into a web application’s frontend inputs; the idea is that the attack traverses the stack to the backend database and executes or modifies database actions. The goal of the exploit is usually to extract, modify, or even destroy data.
Malicious scripts are serious business, and cybercriminals are increasingly targeting businesses and individuals with progressively sophisticated attacks. Cyber threats can potentially steal sensitive data, run crypto-mining malware, and install ransomware or other forms of malware on the victim’s server infrastructure.
All malicious code has to hide in plain sight to skim confidential data from the public. This is why smaller retailers are typically targeted: they are considered to have weaker security than most of the bigger players in eCommerce.
Advanced obfuscation techniques can be used to bypass weak website security tools. According to Medium, this is done in three ways: randomization obfuscation (also known as garbage code insertion); data obfuscation, by encoding custom functions or renaming functions and variables; and logic structure obfuscation, such as adding conditional branches (else or switch statements).
The trick is to determine which code is malicious and which is legitimate. Some sites use obfuscation for genuine reasons: to hide sensitive data (such as email addresses) from the public, or because the web app developers want to stop proprietary website code from being plagiarized.
What this means to website owners is that the risk of data being compromised is quite significant, and the best way to thwart this type of attack is to use a Web Application Firewall (WAF).
Protecting Against Malicious Scripts
Provisioning a Web Application Firewall is arguably one of the best ways to protect against malicious scripts infecting your website. The WAF still requires configuring and managing; thankfully, many providers offer a WAF as part of a managed service. If you opt to self-manage, make sure the block lists and allow lists are updated and reviewed regularly, and that the WAF is monitored 24x7x365.
One advanced feature is virtual patching: it enables security policies to be fine-tuned and allows users to remove false positives. By combining the WAF with an Intrusion Prevention System, you can intelligently patch against known exploits. This keeps businesses one step ahead and enables the WAF to be hardened against new cybersecurity vulnerabilities as soon as they are discovered.
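To make the mechanics concrete, here is an added example (not code from the article or from any WAF vendor) of the decision logic such a rule engine applies to each request: a block list and an allow list of source addresses, a virtual patch scoped to one parameter of one path, and generic signatures for the SQL injection and XSS patterns described earlier. All rule ids, addresses and paths are hypothetical, and values are URL-decoded before matching, since encoding is one of the obfuscation tricks a WAF has to see through.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

@dataclass
class Request:
    path: str
    params: dict        # parameter name -> list of URL-decoded values
    source_ip: str

def from_url(url, source_ip):
    """Build a Request from a URL; parse_qs percent-decodes values, so
    %27 and %3C are matched as the characters they encode."""
    parsed = urlparse(url)
    return Request(parsed.path, parse_qs(parsed.query, keep_blank_values=True), source_ip)

# Generic signature rules (hypothetical ids), matched against every decoded
# parameter value. The SQLi rule looks for a tautology such as 'x'='x' or a
# stacked destructive statement; the XSS rule for script tags and handlers.
RULES = [
    ("sqli-001", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|;\s*(drop|delete)\b")),
    ("xss-001", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
]

# Virtual patch (hypothetical id): a strict allow-pattern for one parameter of
# one path, deployed while the application code itself is still unfixed.
VIRTUAL_PATCHES = [
    ("vp-0001", "/account/transfer", "amount", re.compile(r"\d{1,9}(\.\d{1,2})?")),
]

ALLOW_LIST = {"10.0.0.5"}     # constructed: trusted internal monitoring host
BLOCK_LIST = {"203.0.113.7"}  # constructed: known-bad address (TEST-NET-3 range)

def inspect(req):
    """Return (decision, rule_id). Lists are checked first, then the virtual
    patches (most specific), then the generic signatures."""
    if req.source_ip in BLOCK_LIST:
        return ("BLOCK", "ip-blocklist")
    if req.source_ip in ALLOW_LIST:
        return ("ALLOW", "ip-allowlist")  # allow-listed hosts skip signatures
    for rule_id, path, param, allowed in VIRTUAL_PATCHES:
        if req.path == path:
            for value in req.params.get(param, []):
                if not allowed.fullmatch(value):
                    return ("BLOCK", rule_id)
    for rule_id, pattern in RULES:
        for values in req.params.values():
            if any(pattern.search(v) for v in values):
                return ("BLOCK", rule_id)
    return ("ALLOW", None)
```

Note that a benign search such as "black or green tea" passes the SQLi rule because the tautology pattern requires an equality, which is the kind of tuning the article means by removing false positives.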
The WAF should form part of a wider security policy, which may include implementing additional network edge services to defend against DDoS attacks or signing up to a Content Delivery Network (CDN) to reduce the attack surface of a web app. Regular patching of the web application software, the server operating system, and the underlying hardware is essential. Software vendors spend a lot of time and money investing in security updates for their products, so take time to ensure you are up-to-date.